MyID configuration options

2.4 MyID configuration options

SSRP uses the following MyID configuration options:

Allow derived credential requests to create accounts

This option appears on the Issuance Processes page of the Operation Settings workflow

If this setting is referred to in the audit trail, it appears using the internal name DERIVED CREDENTIALS ALLOW IMPORT USERS.

Must be set to Yes to allow SSRP to issue a derived credential to a cardholder whose original credential was issued by a different system. The unknown user is added to MyID.

When this option is set to Yes, when a trusted credential is used to import a new user into MyID using SSRP, MyID creates a new group in which the user will be placed if the required group does not already exist. For PIV certificates that contain a FASC-N, the Agency code is used in the group name (constructed as Agency - <agencyCode> – for example, Agency - 0001). For certificates that do not contain a FASC-N, the organizational unit identified in the subject distinguished name is used. In each case, MyID attempts to identify existing groups using the respective identifiers.

If a matching group is found and the group is associated with an LDAP configuration, the LDAP configuration is also used for the imported user.

If a matching group is not found, but the subject distinguished name in the trusted credential conforms with the distinguished name format used in LDAP v3 directories, then MyID attempts to determine which LDAP the user belongs to. If MyID is unable to determine an appropriate LDAP, either because the subject DN does not match a configured LDAP or the DN is not LDAP v3 compliant, the Default ADS LDAP connection will be used (if configured).

Finally, if an LDAP connection was identified, the imported user is associated with the LDAP. If MyID has been unable to determine a suitable LDAP connection by means described, the imported user will not be associated with an LDAP.

Assign unmatched new accounts to default directory

This option appears on the LDAP page of the Operation Settings workflow.

When a new user account is created in MyID, the user OU may not be able to be matched to a MyID group that is linked to a directory OU; set this option to Yes to link the account to the default directory registered with MyID.
Synchronize new accounts with directory

This option appears on the LDAP page of the Operation Settings workflow.

If this setting is referred to in the audit trail, it appears using the internal name DERIVED CREDENTIALS SYNC NEW USERS WITH LDAP.

SSRP does not import the user's email address from a PIV card, since the email address is not present on the PIV Authentication certificate. If you want to issue (email) signing/encryption certificates as derived credentials, and you have the appropriate data in your LDAP directory, you can enable the Synchronize new accounts with directory feature so that additional data, including the email address, is imported from the directory

If this option is set to Yes, immediately after importing an unknown user MyID will attempt to pull extended details for that user from LDAP. A match will first be attempted using the DN of the certificate used to make the request. If no match is found, and the certificate contains a UPN, a second attempt will be made to match against the UPN. If both of these fail to match, no further data will be imported for the account.

This approach allows the system to consolidate users with multiple DNs but a common UPN into a single account, making collection easier.

Note: If you set the Synchronize new accounts with directory option to Yes, you must set the Disable on removal from directory option (on the LDAP page of the Operation Settings workflow) to No; if you do not do this, newly-created accounts that do not match a directory entry will become disabled, preventing the issuance of a derived credential.

Note: If this feature is enabled, and the user is matched against the UPN, the user's DN will be imported from the directory. If the DN in the directory does not match the DN on the original PIV card, this can cause the PIV derived credential to be issued with the DN from the directory, which may differ from the DN on the original PIV Authentication certificate.
Update email address from derivation

This option appears on the Certificates page of the Operation Settings workflow.

Set this option to Yes to update the MyID record for the derived credential owner with the email address obtained from the certificate used for derivation.

The default is No.
Limit derived credential lifetime to deriving credential

This option appears on the Certificates page of the Operation Settings workflow.

Set this option to Yes to ensure that any derived credentials created do not exceed the lifetime of the deriving certificate. If the lifetime of the derived credential (as determined by the Lifetime setting in the credential profile or the MaxRequestExpiryDate set for the person in the Lifecycle API) is greater than the lifetime of the presented certificate, the lifetime of the derived credential is lowered to match the expiry date of the deriving certificate.

The default is No.

Note: Some CAs do not allow control over the time portion of the certificate expiry. When MyID sets the lifetime of the derived credential, the date is aligned with the lifetime of the deriving certificate, but the time may not match exactly, depending on the certificate authority being used.

It is important that if the hosting MyID system has any kind of LDAP sync enabled, such as background update, that the Synchronize new accounts with directory configuration option is configured ON. Failing to do this may cause inconsistent behavior due to LDAP synchronization schedules.

Note: Group default roles relate only to the Add Person and Edit Person workflows, and as such are not applied to users imported through SSRP. Roles that are configured to be imported from LDAP will be assigned to the newly-created user account. Any roles applied to user accounts by SSRP override any role restrictions in MyID.

2.4.1 Setting the credential check period

By default, seven days after MyID issues derived credentials, it checks the original credentials that were used to request the derived credentials. If, during this period, the original credentials became no longer valid (for example, if the smart card was canceled), MyID revokes the derived credentials.

The full device is canceled, not individual certificates on the device. If the device has archived certificates issued as derived credentials, these are also revoked, in addition to the authentication and signing certificates.

Note: MyID does not distinguish between the certificate being suspended or revoked; if it is on the CRL, it revokes the derived credentials.

The reason for cancellation is included in the audit information for troubleshooting purposes; this states that it was due to the PIV certificate being revoked. If your system is configured for device cancellation notifications, these are sent for the revoked derived credentials.

You must make sure that MyID can access the CRL. If the CRL is not available, MyID does not carry out any revocation, and logs the error in the audit trail. There may be a lag between the PIV issuer revoking the PIV credential and the CRL being updated and republished.

You must make sure that the PIV Issuer carries out PIV card revocation in appropriate situations; this feature relies on this step occurring to identify and trigger the revocation of derived credentials.

You can adjust the time period for the credential check.

Alternatively, you can configure MyID to repeat the revocation check at regular intervals. In this case, MyID checks the status of the original credentials at the specified interval until the issued derived credentials are canceled or have expired.

To configure the credential checks:

From the Configuration category, select Operation Settings.
On the Certificates tab, set the following:
- Derived credential revocation check offset – set to the number of days after issuing derived credentials that you want MyID to check the original credentials.
- Derived Credential Revocation Check Interval – set to the number of hours between repeated checks of the original credentials. By default this is 0, which means that the check is not repeated.
  
  Note: If you set this option to a value greater than 0, it overrides the Derived credential revocation check offset setting.
Click Save changes.

2.4.2 Determining which cards are available for derived credentials

You may want to configure your system to issue derived credentials only from cards that have been issued by specific federal agencies. To do this, you can match the agency code in the FASC-N.

To determine which cards you can use to request derived credentials:

From the Configuration category, select the Operation Settings workflow.
Click the Certificates tab.
Set the following options:
- Cards Allowed For Derivation
  
  Set this option to a regular expression that will be matched against the ASCII version of the card's FASC-N to determine whether the card can be used to request derived credential. If the regular expression matches, the card can be used.
  
  For example:
  
  5400.+
  
  This example allows any card from the agency with code 5400 to be used. The agency code appears at the start of the ASCII FASC-N.
  
  Note: By default, this option is blank, which means that no cards can be used to request derived credentials. To allow all cards to be used, use the following regular expression:
  
  .+
Click Save changes.

2.4.3 Configuring certificate OIDs checked on PIV cards

When a PIV card is presented to the SSRP, MyID verifies that the cardholder can perform two factor authentication with the PIV card, performing the PKI‑AUTH check to verify the PIV-Authentication certificate.

Additionally, MyID verifies the Digital Signature certificate.

These certificate checks ensure that the certificate is valid and was issued from a CA that chains up to a root certificate in the DerivedCredentialTrustedRoots store.

It also checks that the end-user certificate contains the correct OID to mark it as a PIV‑Authentication or Digital Signature certificate.

By default, MyID is configured with the OIDs required by FIPS201-2; however, you can change the OIDs if required (for example, for a CIV certificate).

To configure the OIDs:

From the Configuration category, select Operation Settings.
On the Certificates tab, set the following:
- Derived credential certificate OID – set this to the OID to be checked on the PIV Authentication certificate.
  
  The default value is
  
  2.16.840.1.101.3.2.1.3.13
- Derived credential signing certificate OID – set this to the a semicolon-delimited list of OIDs to be checked on the Digital Signature certificate.
  
  The default value is
  
  2.16.840.1.101.3.2.1.3.6;2.16.840.1.101.3.2.1.3.7;
  2.16.840.1.101.3.2.1.3.16
Click Save changes.